node-fetch and axios user agents
node-fetch and axios are widely used HTTP client libraries for Node.js. By default they send library-style user-agent tokens (node-fetch sets one automatically; axios may send a default or none depending on version and environment). Requests from these libraries are scripts or servers, not human browsers.
What this means
node-fetch is a light implementation of the Fetch API for Node.js; axios is a promise-based HTTP client used in both Node and browser contexts. In Node, both make server-side requests with no rendering engine, so they are not browsers.
node-fetch sets a default user-agent token identifying the library and its version. axios behaviour varies: in Node it has historically sent a default header in some versions and none in others, and developers frequently set a custom User-Agent. Treat any of these as a programmatic client.
How they identify themselves
When defaults are left in place, look for a node-fetch product token (with version) or an axios marker. Because these are easy to override, many real integrations send a custom application user agent instead, and some scrapers deliberately impersonate browsers.
Match on the library token where present, but combine it with behaviour: no Accept-Language, no Sec-CH-UA client hints, no asset/CSS/JS follow-up requests, and a flat request pattern all point to a script rather than a browser.
- node-fetch: sets a default library token with version
- axios (Node): default header varies by version; often customised
- No client hints and no sub-resource requests indicate a script
Allow, rate-limit, or block
Legitimate uses of these libraries include your own backend integrations, partner API calls, and monitoring. Identify those by an explicit custom user agent and, ideally, authentication.
For unwanted scraping that reuses raw defaults, rate-limiting by token plus behaviour is more robust than blocking a single string, since the user agent is trivially changed. Never rely on the user agent alone for access control.
How it appears in analytics and logs
A user agent containing a node-fetch token, or an axios default, indicates a Node.js program making HTTP requests — automation, not a human visit. Many developers also override these defaults, so absence of the token does not rule out a Node client.
Diagnostic use case
Identify server-to-server and scripted traffic from Node.js applications, and distinguish legitimate API integrations from scrapers reusing the same defaults.
What WebmasterID can help detect
WebmasterID classifies node-fetch and axios traffic as script/automation rather than human visits, so API and scraper activity shows up in bot-intelligence rather than inflating human page-view counts.
Common mistakes
- Assuming axios always sends a recognisable default — it often does not in Node.
- Counting node-fetch or axios requests as human page views.
- Blocking by the exact token only, when scrapers rotate or customise it.
Privacy and accuracy notes
These libraries are identified from the user-agent token alone. No human identity is involved — a script is not a person. WebmasterID records such requests as automation, separate from human analytics.
Related pages
- curl, wget and script user agents
Command-line and library HTTP clients send a default user agent that names the tool: curl/x.y, Wget, python-requests, Go-http-client, and similar. These are scripts, not browsers, and seeing them is normal. This page explains the patterns and how to treat them without over- or under-reacting.
- Go-http-client user agent
Programs built with Go's standard net/http client send a default user agent of the form Go-http-client/x.y. Seeing it means a Go application made the request — common for backend services, CLIs, and integrations. It is honest automation, not a browser, and the default can be overridden. This page covers the pattern.
- API client user agents (Postman, etc.)
Developers exercise APIs with tools like Postman, Insomnia, and HTTPie, each of which sends a recognisable default user agent (for example a PostmanRuntime token). Seeing these means someone is testing or scripting against your API, not browsing your pages. This page covers the patterns and how to read them.
- Bot intelligence
Categorise scripted HTTP clients separately from human browsers.
Sources and verification notes
- node-fetch — project repositorySets a default User-Agent header identifying the library.
- axios — project repositoryDefault UA behaviour varies by version and environment.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.